CVE-2026-46509
Prototype Pollution in deepobj JavaScript Library
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deepobj | deepobj | < 1.0.3 (upper bound exclusive) |
| ranfdev | deepobj | < 1.0.3 (upper bound exclusive) |
| ranfdev | deepobj | 1.0.3 |
| ranfdev | deepobj | 1.0.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an attacker write attributes onto the shared object prototype, which can silently change the data or behaviour of every object in the process. That is an integrity failure.
Regulations such as GDPR and HIPAA require that personal and health data be protected against unauthorized alteration, so an application that exposes this flaw on untrusted input may fall short of those integrity requirements.
The advisory itself does not state any direct compliance impact; whether one exists depends on what data the affected application handles and how the polluted objects are used.
Can you explain this vulnerability to me?
The vulnerability exists in deepobj versions prior to 1.0.3. The library sets or reads object properties by walking a dotted property path, and it does not reject the special segments __proto__, constructor and prototype. A path such as __proto__.isAdmin therefore reaches Object.prototype instead of a property of the target object, so a value written through it appears on every plain object in the process. The flaw is exploitable wherever an application passes a property path that an attacker can influence (request parameters, JSON keys, configuration fields) to deepobj.
How can this vulnerability impact me?
An attacker who controls a property path can add or overwrite properties on Object.prototype. Depending on how your code consumes objects, that can flip authorization flags, change default options, alter serialization, or crash the process when code encounters an unexpected inherited property. The CVSS vector rates integrity impact high and availability impact low, with no privileges or user interaction required, so the only precondition is that untrusted input reaches a deepobj path.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means finding every copy of the vulnerable deepobj package (1.0.2 and below) in your environment, including copies pulled in transitively by other dependencies.
You can list the installed versions from your project directory with:
- npm list @ranfdev/deepobj
- npm ls --all --json
The second form prints the full dependency tree as JSON, which is easier to scan for nested copies. Any instance at 1.0.2 or below is vulnerable.
Additionally, search your codebase for the places where deepobj is called with a path that can come from user input, and for any existing handling of the reserved keys. A bare search for the keywords is very noisy because constructor and prototype appear in ordinary JavaScript, so exclude node_modules and review the hits by hand:
- grep -rE '__proto__|constructor|prototype' --exclude-dir=node_modules ./
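The version check above can be automated. The following is an added example, not part of the advisory or of the deepobj project: it walks the JSON that `npm ls --all --json` emits, recursing into nested `dependencies` so that transitive copies are found, and reports every deepobj instance below 1.0.3. The sample tree is constructed for the example, and both package spellings that appear on this page are treated as the same product (an assumption).

```javascript
// Added example: find every vulnerable copy of deepobj in an `npm ls --all --json` tree.
// Not deepobj's code; the package-name set and the sample tree are assumptions.

const VULNERABLE_BELOW = "1.0.3"; // advisory: versions 1.0.2 and below are affected
const PACKAGE_NAMES = new Set(["deepobj", "@ranfdev/deepobj"]); // both spellings on the page

// Compare two dotted version strings numerically (no pre-release tags handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, VULNERABLE_BELOW) < 0;
}

// Recursively visit the `dependencies` map that npm emits and collect each
// vulnerable copy together with the chain of packages that pulled it in.
function findVulnerable(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, `${name}@${info.version}`];
    if (PACKAGE_NAMES.has(name) && isVulnerableVersion(info.version)) {
      out.push(here.join(" > "));
    }
    findVulnerable(info, here, out);
  }
  return out;
}

// Constructed sample of `npm ls --all --json` output: one direct vulnerable copy,
// one transitive vulnerable copy under some-lib, and one fixed copy under other-lib.
const SAMPLE_TREE = {
  name: "example-app",
  version: "0.1.0",
  dependencies: {
    deepobj: { version: "1.0.2" },
    "some-lib": {
      version: "2.3.1",
      dependencies: { deepobj: { version: "0.9.0" } },
    },
    "other-lib": {
      version: "1.1.0",
      dependencies: { deepobj: { version: "1.0.4" } },
    },
  },
};

// Stand-alone run: in a real project, replace SAMPLE_TREE with
// JSON.parse(fs.readFileSync("tree.json")) after `npm ls --all --json > tree.json`.
if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findVulnerable(SAMPLE_TREE)) console.log("VULNERABLE:", hit);
}
```

The output lists `deepobj@1.0.2` and `some-lib@2.3.1 > deepobj@0.9.0`; the 1.0.4 copy is not reported. The path string tells you which upstream package needs a bump when the vulnerable copy is not a direct dependency.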
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade deepobj to version 1.0.4 or later, where the reserved path segments are rejected. Check transitive copies as well, since a dependency that bundles its own deepobj is not fixed by updating your direct dependency.
Independently of the upgrade, do not build property paths from untrusted input. Treat a user-supplied path as a key into a fixed allowlist of permitted paths rather than passing it through to the library.
If upgrading immediately is not possible, reject any path whose segments include __proto__, constructor or prototype before it reaches deepobj. As defence in depth, store untrusted key/value data in Map objects or in objects created with Object.create(null), which have no prototype to pollute. Freezing Object.prototype with Object.freeze also stops the write, but it can break libraries that legitimately extend built-in prototypes, so test before relying on it.
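To make the explanation and the mitigation concrete, here is an added example that is not deepobj's code: a minimal "set by dotted path" helper of the kind the advisory describes, in a vulnerable form and a hardened form. The function names setPathUnsafe, setPathSafe and pollutionReached are hypothetical. The vulnerable version follows whatever the path names, so "__proto__.isAdmin" lands on Object.prototype; the hardened version rejects the reserved segments up front and only descends into own properties, creating prototype-less intermediates.

```javascript
// Added example (hypothetical helper, not the library's own code): the vulnerable
// path-walking pattern the advisory describes, next to a hardened version.

// VULNERABLE: follows attacker-controlled path segments without checks.
// cur["__proto__"] on a plain object is Object.prototype, so a path such as
// "__proto__.isAdmin" writes onto the prototype shared by every plain object.
function setPathUnsafe(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Segments that must never be used as path keys on an ordinary object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// HARDENED: reject reserved segments before touching anything, and descend only
// into own properties, so an inherited value can never become the cursor.
function setPathSafe(target, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing reserved path segment "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) {
      cur[k] = Object.create(null); // intermediate with no prototype to pollute
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Run a simulated attacker-controlled path through a setter and report whether an
// unrelated object (never passed to the setter) picked up the injected property.
function pollutionReached(setter) {
  const victim = {};
  let threw = false;
  try {
    setter({}, "__proto__.isAdmin", true); // constructed attacker input
  } catch {
    threw = true;
  }
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so the rest of the process is unaffected
  return { polluted, threw };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", pollutionReached(setPathUnsafe)); // { polluted: true,  threw: false }
  console.log("safe:  ", pollutionReached(setPathSafe));   // { polluted: false, threw: true }
  console.log(setPathSafe({}, "a.b.c", 1).a.b.c);          // 1: normal paths still work
}
```

Blocking the three segments is the fix the advisory describes; the own-property check and null-prototype intermediates are the extra layer that keeps a future reserved name, or a path arriving through a different spelling such as bracket syntax in your own parser, from being followed into an inherited object.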